Process for Assessing Risk

Assessing risk is a process and as such, is something that must be periodically repeated. It's really not much different from the automated patch-management tools you are probably using. True security requires ongoing effort. There is never a wrong time to assess risk and examine network vulnerabilities. There are three key points at which assessments should be considered:

1. When a new program is developed, a risk analysis should be performed to establish the security state of the system. An analysis performed early on like this helps establish whether security problems exist. This is beneficial when new code or applications are developed for which problems can be found and fixed early on.
2. An analysis of risk should be performed whenever changes are made to systems, processes, or programs. A risk analysis performed during this time is instrumental in uncovering vulnerabilities that occur as a possible side effect from the change.
3. A vulnerability assessment should be performed periodically to examine the controls that have been implemented. It's also advisable anytime there has been a breach in security, an intrusion, or an attack. At this point, the assessment is critical because it can help uncover how the breach occurred and discover what problem in policy or system vulnerability allowed the event to occur.

Note

In Chapter 4, "Risk Assessment Methodologies," you learn more about the methodologies that can be used to assess and analyze risk.

What is important to note at this point is why developing a risk assessment process is so important. A primary reason is to show due care and due diligence. Other reasons include the following:

• Maintain customer confidence.
• Protect confidentiality.
• Prevent inappropriate disclosure.
• Ensure the integrity of the organization's informational assets.
• Ensure that the organization's resources are not misused or wasted.
• Comply with state, provincial, and federal laws and regulations.
• Avoid a hostile workplace atmosphere.